While managing compliance risk remains a high priority for organizations across the Middle East,[1] regulatory enforcement may not be the most immediate risk facing companies that do not have effective regulatory compliance programs. In the West, after decades of million-dollar fines and settlements,[2] the return on investment in effective compliance programs is clear. Not only do effective compliance programs reduce the risk of violating the law, but there are also statutorily created incentives that reduce, and sometimes avoid, regulatory fines and penalties. For example, the US Federal Sentencing Guidelines require a reduction in fines and penalties for companies that had effective programs to prevent and detect violations of law in place at the time a violation occurred.[3] The UK Bribery Act also provides a complete defense against prosecution for companies with adequate procedures to prevent bribery.[4] Although the regulatory landscape of the Middle East is evolving, it may still be some time before the risk of regulatory enforcement reaches the levels seen in the West. This article presents one expat’s view of how business partner expectations and requirements around anti-bribery and corruption, sanctions, and personal data privacy (i.e., regulatory compliance) might be a more immediate driver of regulatory compliance in the Middle East.
Extended liability for non-compliance
To enforce compliance by Western companies, regulators extend criminal and civil liability throughout the supply chain, including activities performed in foreign countries. For example, for US companies, the Foreign Corrupt Practices Act (FCPA) expressly prohibits US persons and companies from making corrupt payments through third parties or intermediaries.[5]
The UK Bribery Act requires companies subject to its jurisdiction to assess business partnership risk, including “the use of intermediaries; consortia or joint venture partners; and relationships with politically exposed persons.”[6] For personal data, the General Data Protection Regulation (GDPR) holds the data controller responsible for demonstrating compliance with the personal data processing principle [7] and ensuring that third-party data processors implement appropriate technical and organizational measures to protect the rights of data subjects.[8] For sanctions, EU and US sanctions prohibit EU and US persons and entities from making economic resources available to sanctioned parties “indirectly” or by “exporting financial, legal or other services to non-US persons.”[9] Due to the extra-territorial reach of anti-bribery and corruption, sanctions, and personal data privacy laws, Western companies regularly conduct due diligence on foreign agents and customers as part of their effective compliance programs.
Third-party due diligence
To demonstrate compliance throughout the supply chain, multinational companies regularly require suppliers to agree to their Supplier Code of Conduct (SCOC) while conducting business for them or on their behalf (see sample SCOC here).
Supplier Codes of Conduct regularly require compliance with all applicable laws and regulations, specifically referencing conflicts of interest, anti-bribery and corruption, and other laws relevant to the supplier’s business and operations. Even major Saudi companies use Supplier Codes of Conduct to require their business partners to comply with the laws and regulations, conflict-of-interest rules, and anti-bribery and corruption policies and procedures that apply to their work (see sample SCOC here). In the financial arena, banking institutions, credit companies, and insurance agencies regularly conduct due diligence on their customers through Know Your Customer questionnaires (download sample here).
They also require assurances that the funds will not go to sanctioned parties through loan and credit agreements.[10] Personal data transfer agreements also hold data processors accountable for complying with personal data protection obligations. As others have noted, “adequate privacy programs will become part of the partner vetting process for many of the region’s marquee brand names . . . even in countries where personal data privacy requirements do not yet exist.”[11]
Evolving regulatory landscape
Even apart from the increasing regulatory compliance expectations of multinational business partners, the region has its own regulatory landscape, and it is evolving. At the local level, the Corporate Governance Regulations in Bahrain and Saudi Arabia require the Board of Directors of publicly traded companies to ensure compliance with the law. At the international level, countries in the Middle East that are signatories to the United Nations Convention Against Corruption are encouraged to develop and implement effective policies and practices to prevent corruption. While Middle Eastern countries have distributed their anti-bribery and corruption laws across penal codes and regulations, these laws do not match the scope and application of the FCPA or the UK Bribery Act. When it comes to personal data privacy, however, Bahrain, Qatar, and Saudi Arabia have recently implemented comprehensive, GDPR-inspired personal data protection laws. Other jurisdictions, such as the UAE, Kuwait, Oman, and Jordan, are also establishing national personal data privacy laws for the first time.[12]
Conclusion
Western companies regularly conduct due diligence on their foreign agents and customers to comply with their regulatory obligations and to reduce the risk of crippling fines, penalties, and reputational damage under anti-bribery and corruption, sanctions, and personal data privacy laws. They are also increasingly holding foreign agents and customers directly accountable for compliance with regulatory obligations, including obligations that may not yet exist in those agents’ and customers’ own countries.
Moreover, as Middle Eastern economies integrate into the broader global community, they will need to access international financing, transfer personal data across borders, and demonstrate compliance with business partner expectations and requirements. At its best, having effective compliance programs can serve as a strategic advantage in a global economy. At its worst, companies that do not have effective compliance programs face a growing risk of being excluded from commercial opportunities.
EMME Advisory Services
EMME Advisory Services (EMME) was established to help companies in the Middle East and emerging markets identify and build the programs necessary to address relevant regulatory compliance risks, obligations, and expectations. Before establishing EMME, Granville Collins was responsible for building the Saudi Aramco programs necessary to comply with multinational regulatory compliance obligations, business partner requirements and expectations, and the Kingdom’s developing regulatory regime. For more information, contact contactus@emme-advisory.com or visit www.emme-advisory.com.
[1] Green, M., Managing compliance risk: Where are you now?, Deloitte, retrieved June 11, 2021, from https://www2.deloitte.com/jo/en/pages/about-deloitte/articles/manage-yourself/managing-compliance.html?id=jo:2sm:3li:4dcom_share:5awa:6dcom:about_deloitte
[2] The Biggest Compliance Fines of the Decade, Planet Compliance, retrieved June 10, 2021, from https://www.planetcompliance.com/the-biggest-compliance-fines-of-the-decade/
[3] USSG §8C2.5(f)
[4] UK Bribery Act 2010, c. 23, s. 7(2)
[5] FCPA Resource Guide, Second Edition, Criminal Division of the US Department of Justice and the Enforcement Division of the US Securities and Exchange Commission, page 22
[6] The Bribery Act 2010, c. 23, s. 7(2), page 26
[7] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, Chapter 2, Article 5(2)
[8] EU General Data Protection Regulation (GDPR): Chapter 4, Section 1, Article 28
[9] Castille, M.A. and Levy, M.R., US and European Loan Markets: Comparative Approach to Sanctions Provisions, Faegre Drinker, retrieved June 10, 2021, from https://www.faegredrinker.com/en/insights/publications/2018/9/us-and-european-loan-markets-comparative-approach-to-sanctions-provisions
[10] Castille, M.A. and Levy, M.R., US and European Loan Markets: Comparative Approach to Sanctions Provisions
[11] Waterman, D., The Rise of Data Protection Compliance as a Risk – What Executives in the Middle East Need to Know, White Label Consultancy, June 3, 2021, retrieved from https://whitelabelconsultancy.com/2021/06/the-rise-of-data-protection-compliance-as-a-risk-what-executives-in-the-middle-east-need-to-know/
[12] Waterman, D., The Rise of Data Protection Compliance as a Risk – What Executives in the Middle East Need to Know